[dns-operations] Signing of the ARPA zone

Doug Barton dougb at dougbarton.us
Mon Mar 22 03:19:00 UTC 2010


On 03/21/10 18:50, Jay Daley wrote:
> 
> On 22/03/2010, at 1:39 PM, Doug Barton wrote:
> 
>> I know that historically not all of the roots have served the ARPA zone,
>> but I'm wondering if it wouldn't make sense to make them all consistent
>> at this point.
> 
> I fail to see the value of consistency here when I can see plenty of value in the present inconsistency.  For example, by ensuring that an attack on the ARPA zone does not include all root servers as coincident targets.  If anything, fewer root servers should also be serving the ARPA zone.
> 
> Was there a benefit you had in mind or is it just an OCD-like impulse for Internet architecture? ;-) 

Hey, leave my OCD out of it! :)

Assuming you have a point above (not sure you do, but let's assume),
having 1 out of 13, and arguably one of the lesser-provisioned of the 13
at that, not subject to the DOS is of dubious value, for a variety of
reasons that I can elaborate if desired. It would make more sense if
only, say, half the roots were serving ARPA.


Doug

-- 

	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/



